I am using LDAP authentication on my Ubuntu 11.10 server. I installed libpam-ldap, and configured things accordingly. It works great, except that I get this error every once in a while when I try to sudo:

sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

I know I have sudoers set up correctly, since it works most of the time. It's not just my log in either, others have the same problem when I have it. When this error is occurring, I can't ssh in with my regular system user at all. When I sign in directly, I can't get any gnome-terminal to start.

Once I restart the server, the problem goes away. 'Course, that's not a solution, if it was a prod server, I'd be in trouble.

How do I fix this?

Edit 3/1/12: I just figured out that if I stop and start the nscd service, the problem goes away.

service nscd stop
service nscd start

Not much of a solution since I have to be logged into the server directly, not via ssh.

I tried libnss-ldapd, but I couldn't get it to let me authenticate via ldap. I probably missed some part of the configuration, but I can't figure out what. So, what other solutions are there?
– David R. Mar 1 '12 at 19:37

The libnss-ldapd libraries worked for me. I purged libnss-ldap and libpam-ldap and installed libnss-ldapd and libpam-ldapd.
– Chris May 8 '12 at 4:21

libnss-ldapd works but libpam-ldap breaks vsftpd :( It can be made to work by manually configuring /etc/pam.d/vsftpd and commenting out @include common-auth and put info in manually. What a pain!
– Chris May 8 '12 at 5:34

So, does it break vsftpd for regular system accounts, or just LDAP accounts? I really need to find some time to test libnss again. I'm positive it's the solution, but I keep missing some key configuration somewhere when I try it...
– David R. May 8 '12 at 13:48

1 Answer

This is a known bug that was introduced when Debian (and therefore Ubuntu) switched from using OpenSSL to GnuTLS with OpenLDAP because of the licensing difficulties with OpenSSL. The problem is with the way libgcrypt (the current crypto backend for GnuTLS) initializes. The problem has been around since Ubuntu 9.10 and hasn't really been addressed because upstream GnuTLS is switching from libgcrypt (which evidently has other problems as well) to libnettle. Until this change makes it downstream, there are three possible workarounds, all of which are enumerated in the bug report above.

Compile libgnutls26 from source to use libnettle instead of libgcrypt

Compile libldap from source to use openssl instead of gnutls26

Use libnss-ldapd instead of libnss-ldap. This has several variations. First use libpam-ldap, which pulls in libnss-ldap as a dependency, which makes configuration complicated. And second, use libpam-ldapd, which is not complete. It especially lacks all the pam_* configurations which allow limiting subsets of users. In order to overcome this deficiency you could use the nssov overlay with slapd, but this is not included in slapd with Ubuntu (so you would need to compile from source). libpam-ldapd uses the nslcd daemon to handle the ldap lookups; it therefore uses /etc/nslcd.conf instead of /etc/ldap for configuration. Of particular note, you could use pam_authz_search to restrict authorization. See man nslcd.conf for details. There is also a pretty good howto here, and here if you need to configure startTLS.

UPDATE: As of 5/29/2012 a bug fix was available in the proposed repository for Lucid, Natty, and Oneiric. This fixed the issues with LDAP logins; however, as of 9/6/2012 this new patch has been shown to break other packages, and has been removed. Also, as documented in this bug, the workaround using nscd no longer works at all. This is an unfortunate regression, and worse, the problem isn't really fixed in Precise and Quantal. Ultimately, the only real fix is to ditch libgcrypt11 in favor of libnettle4. The newer libgnutls28 in Precise and Quantal already do this, but libldap still uses libgnutls26.

The instructions to compile libgnutls26 from source are explained in comments 22, 23, and 24 in this bug report. But the instructions seem to only work for Precise.
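An /etc/nslcd.conf fragment for the libnss-ldapd/libpam-ldapd variant the answer describes, with startTLS and a pam_authz_search restriction. This is an added example, not configuration from the answer or from the nss-pam-ldapd project; the server name, base DN, CA file and group name are placeholders.

```conf
# /etc/nslcd.conf (added example; all names below are placeholders)
uid nslcd
gid nslcd

# LDAP server and search base
uri ldap://ldap.example.com/
base dc=example,dc=com

# startTLS: encrypt the connection and require a valid server certificate
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-ca.pem

# Only entries with a POSIX account object are exposed to NSS
filter passwd (objectClass=posixAccount)

# pam_authz_search: the libpam-ldapd replacement for pam_ldap's group limits.
# nslcd runs this search during PAM account checks; the login is allowed only
# if it returns at least one entry. Here: the user is listed as a memberUid
# of the posixGroup "ssh-users" (placeholder group DN).
pam_authz_search (&(objectClass=posixGroup)(cn=ssh-users)(memberUid=$username))
```

After editing, restart nslcd and confirm with `getent passwd <ldapuser>` that NSS lookups still resolve before testing a login.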

So, I was about to try setting this up again on a 12.04 test server, but from your update, I'd have to compile libgnutls26. Since I don't have enough users that LDAP auth is essential, I think I'll not use LDAP auth for the foreseeable future. Thanks for your help, Chris, especially the updates. Really appreciated.
– David R. Nov 2 '12 at 21:54